A popular design for central processing units is reduced instruction set computer (RISC) processors using pipeline architecture. With pipeline architecture, the tasks performed by a processor are broken down into a sequence of functional units referred to as stages or pipeline stages. Each functional unit receives one or more inputs from the previous stage and produces one or more outputs, which may then be used by a subsequent stage. Thus, one stage's output is usually the next stage's input. Consequently, all of the stages are able to work in parallel on different, although typically sequential, instructions in order to provide greater throughput.
Typical stages of a RISC pipeline include instruction fetch, register fetch, arithmetic execution, and write-back to registers. In order to improve performance, a pipeline receives a continuous stream of instructions fetched from sequential locations in memory using addresses that are typically stored in a program counter or other suitable device. When several instructions are concurrently executing and each pipeline stage is performing its designated task for one of these instructions, a single instruction can be executed approximately every processor clock cycle. This design offers greater efficiency than other architectures, such as Complex Instruction Set Computer (CISC), where an instruction is executed in more than one processor clock cycle. In general, the architectural concepts behind RISC and CISC designs greatly differ, as is appreciated by those of ordinary skill in the art.
Because of the many advantages of the RISC architecture, only a few of which are discussed above, RISC processors enjoy a wide variety of applications, including safety-critical environments such as transportation, health care, manufacturing, defense, and space environments. The increased use of RISC architecture in such applications demands improvements in the dependability of these processors, that is, that they perform what is expected of them correctly, with a very high degree of probability, by tolerating failures.
A detectable fault may generate a processor error that is represented by a processor output that violates expectations. The error may either be due to a fault in the data or in the instruction execution control flow. The detection of control flow errors in RISC processors is considered by many to be difficult because of the nature of control flow errors and the amount of hardware overhead associated with constructing the requisite detection logic. Examples of control flow errors include processing an incorrect sequence of valid instructions, improperly decoding and/or improperly executing an instruction, and vectoring a processor to an incorrect address. Control flow errors can be hardware induced, such as the erroneous calculation of an address or the faulty operation of the decode logic, or software induced, such as by viruses. It is generally accepted that detectors used in detecting data related errors such as error correction codes (ECC) are not adequately successful in detecting control flow errors. Other error detection methods that have been proposed include master/checker, sink check, and signature monitoring.
In master/checker error detection systems, a duplicate set of logic is provided to check the operation of a system. In essence, a boundary is drawn around a functional block of a system with transfers across the boundary being checked via comparison with the duplicate logic circuit. This provides excellent error detection, but more than doubles the amount of logic required. In addition, master/checker systems are prone to common mode errors wherein both the master and checker logic circuits produce the wrong data or execute the wrong control sequence. In such cases, the outputs of both circuits are the same, and no error is detected when the two outputs are compared.
In sink check systems, a sink detection circuit tries to verify that a required action for a particular command is executed. For example, sink detection logic for verifying that a command to write to a register was executed may be implemented by monitoring the write enable control to the register. However, sink logic does not provide extensive error coverage and is generally limited to simple control systems.
In signature monitoring systems, an instruction is considered part of an execution thread that consists of a series of processor-level instructions, i.e., machine code, with a known instruction execution sequence. Since the sequence is determined by the design and development of the software, i.e., the computer program, that will ultimately be executed by the RISC processor, a unique signature can be derived based on the operation codes for those instructions during development. This is called the reference signature. The reference signature code is used to verify the proper instruction execution sequence during system operations. During operations, a current signature is computed and compared with a pre-computed reference signature. The two signatures should be identical in the absence of a control flow error. It is noted that there are two methods of signature monitoring commonly used: horizontal and vertical signature monitoring. Horizontal monitoring checks the signature of every instruction executed by comparing the current signature with the reference signature. This method provides low detection latency because it validates correct execution for every instruction, but requires that the reference signature be supplied with each instruction. Thus, a trade-off occurs between optimizing the ability to detect errors, or error coverage, and the amount of increased overhead due to saving and processing signatures for each instruction. Vertical monitoring, on the other hand, checks the signature of a set of instructions. This method only adds overhead to the control flow when the signature is checked, but causes error detection latency to increase. Detailed discussion of signature monitoring can be found in numerous publications, including J. P. Shen and K. Wilken, "Concurrent Error Detection Using Signature Monitoring and Encryption," 1st International Working Conference on Dependable Computers in Critical Applications, Santa Barbara, Calif., August 1989.
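As an added illustration, not code from the document or from any processor it describes, the following Python simulation derives a reference signature from a constructed opcode stream and runs both a horizontal and a vertical monitor against an execution in which two valid instructions run in the wrong order. The signature step, the opcode values and the program are assumptions chosen for illustration; the only property relied on is that the step is order-sensitive.

```python
# Added example: horizontal vs vertical signature monitoring over an
# instruction opcode stream. The signature step, opcodes and program
# below are constructed for illustration, not taken from any real RISC.

MASK16 = 0xFFFF

def sig_step(sig: int, opcode: int) -> int:
    """One signature update. Rotating before the XOR makes the value depend
    on instruction order, which a plain XOR accumulation would not."""
    rotated = ((sig << 3) | (sig >> 13)) & MASK16
    return (rotated ^ opcode) & MASK16

def reference_signatures(opcodes):
    """Computed at development time from the known sequence: the running
    signature after each instruction (horizontal) and the final block
    signature (vertical)."""
    sig, running = 0, []
    for op in opcodes:
        sig = sig_step(sig, op)
        running.append(sig)
    return running, sig

def horizontal_monitor(executed, running_ref):
    """Check after every instruction; return index of first mismatch or None."""
    sig = 0
    for i, op in enumerate(executed):
        sig = sig_step(sig, op)
        if i >= len(running_ref) or sig != running_ref[i]:
            return i
    return None

def vertical_monitor(executed, block_ref):
    """Check once at the end of the block; True means an error was flagged."""
    sig = 0
    for op in executed:
        sig = sig_step(sig, op)
    return sig != block_ref

def xor_only_signature(opcodes):
    """Order-insensitive accumulation: misses a pure reordering of valid opcodes."""
    sig = 0
    for op in opcodes:
        sig ^= op
    return sig

# Constructed 8-instruction block (arbitrary 16-bit opcode constants).
PROGRAM = [0x1A20, 0x2B31, 0x0C42, 0x3D53, 0x1E64, 0x2F75, 0x0A86, 0x3B97]
# Fault model from the text: a wrong sequence of valid instructions
# (instructions 2 and 3 executed in swapped order).
FAULTY = PROGRAM[:2] + [PROGRAM[3], PROGRAM[2]] + PROGRAM[4:]

def demo():
    running_ref, block_ref = reference_signatures(PROGRAM)
    return horizontal_monitor(FAULTY, running_ref), vertical_monitor(FAULTY, block_ref)
```

Running `demo()` shows the latency trade-off from the text: the horizontal monitor flags the fault at instruction index 2, the first out-of-order instruction, while the vertical monitor only reports it after the whole block has executed; `xor_only_signature` gives the same value for both streams, which is why the step must be order-sensitive.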
Current technical literature documents signature monitor applications on CISC processors. However, these implementations are enhancements that are external to the processor itself. This type of external implementation reduces the error coverage potential for signature monitoring because it is difficult to capture state changes that affect instruction execution flow, i.e., control branch operations, where these changes are not communicated outside the processor.
Therefore, a heretofore unresolved need existed in the industry for a control flow error detection system and method that provides improved error detection in the instruction execution flow of RISC processors with minimum hardware overhead.